Updated the patch to allow % signs in the token.
Also, passing the token through urldecode() per Google's AuthSub spec.
Thanks to @katybeth for the original report from #14566.
Thanks to @paulbert for suggesting the change to the regex.